What Happens When Security Companies Fail at Security?

Several recent cyber attacks have successfully targeted organizations that should be poster children for security hygiene. Why are even the most security-conscious organizations being compromised, and what does it mean for everyone else?

Examining recent high-profile cyber attacks

The most prominent attack was the Equifax breach, which exposed sensitive data of over 145 million people. Prior to the report of the breach, Equifax was trusted (implicitly by all and explicitly by many) by consumers and businesses to protect highly sensitive data. Equifax even upsells services to detect and counteract identity theft. This latest breach is causing a new wave of soul-searching by organizations not seen since the Target and Home Depot breaches, which opened the eyes of many to the dangers of testing only high-risk applications.

On the government side, the Securities and Exchange Commission (SEC) recently announced a breach from 2016 that might have given intruders access to nonpublic information for illegal trading.

Avast, an antivirus company, disclosed that one of its popular software utilities had been hijacked by hackers and loaded with a backdoor that evaded the company’s security checks and wound up installed on 700,000 computers. Furthermore, evidence suggests the attackers specifically targeted several tech giants for a second-stage malware attack intended for industrial espionage.

Finally, the NSA was recently in the news with a breach when it was reported that Russia had obtained detailed data regarding how the United States defends against cyberthreats and how the NSA monitors foreign computer networks. This data was obtained by hackers supposedly working for the Russian government.

Designing, developing, and deploying secure software

So why is it that credit bureaus, financial regulators, and security companies are getting beaten by the bad guys? The answer is that building secure software is not a trivial task. Software security is a complex challenge that can’t be addressed by cutting-edge technology alone or by throwing people at the problem.

The cold, hard fact is that software security is an ongoing journey, not a point-in-time obstacle that needs to be hurdled. Organizations must be committed to starting on the journey and staying with it for the long term. Organizations need to build security into their DNA, with a comprehensive and orchestrated software security initiative that dictates how software is designed, developed, and deployed.

Allow me to provide a concrete example.

The Equifax breach has been traced to an unpatched vulnerability in an open source framework (Apache Struts) used by one of Equifax’s web applications. This was a known vulnerability with a readily available patch. There is no shortage of tools that can identify open source in applications and report on the vulnerabilities of the discovered open source elements. So why was this vulnerability not found and closed?

Using real data to measure software security

For an answer, let’s consult the findings in the Building Security In Maturity Model (BSIMM), which provides real data on how real-world organizations are embracing a holistic approach to software security. The idea is to use real data to show where we are succeeding with software security and where the challenges exist. The BSIMM also allows organizations to see how they score against other organizations in their vertical, and provides them a score they can use to gauge the improvement of their business processes over time. The BSIMM study is licensed under a Creative Commons license and can be downloaded for free.

Version 8 of the BSIMM measures 113 security activities of 109 participating organizations. Two of those activities measure whether an organization systematically identifies open source components in their software (Activity SR2.4) and whether the organization takes steps to control the risks associated with those components (Activity 3.1). The statistics are revealing:

· SR2.4—Identify open source:v23% participation rate

· SR3.1—Control open source risk:v9% participation rate

Controlling open source software risk

As the BSIMM data shows, only 1 in 4 organizations is systematically identifying open source software (OSS) in their software portfolios, and less than 1 in 10 are proactively controlling OSS risk. The risks of open source are clearly understood, and those risks become increasingly important as a greater and greater degree of every application is composed of open source components. In fact, the Open Source Security Analysis 2016 report by Black Duck says that 67% of applications that they examined contained a known open source–related vulnerability.

The data on the practices surrounding open source and the potential consequences illustrated by the Equifax breach provide clear insight as to why even the most progressive companies can be successfully attacked. As I have stated in previous articles, 50% of the vulnerabilities in software are flaws in the design and architecture of the application, but security is seldom considered in the early stages of development. Organizations strive to apply good security practices to the software development life cycle, but competitive pressures often force organizations to sacrifice security to increase the delivery velocity of software.

Summing it up

In the end, there is a lot of flawed, vulnerable software out there, and the bad guys know that software is a viable entry point. Organizations are putting more emphasis on building security into software, but we have a long way to go. So don’t be surprised if you wake up tomorrow and see in the headlines a breach that makes the Equifax fiasco look like child’s play.

Jim Ivers is VP of Marketing for the Software Integrity Group at Synopsys. Jim is a 30-year technology veteran who has spent the last ten years in IT security. Prior to Cigital, Jim was the CMO at companies such as Covata, Triumfant, Vovici, and Cybertrust, a $200M security solutions provider that was sold to Verizon Business. Jim also served as VP of Marketing for webMethods and VP of Product Management for Information Builders.